wordpress-vulnerable-scanner

A fast, safe Rust CLI tool for detecting known CVE vulnerabilities in WordPress core, plugins, and themes using the WPVulnerability.net API.

Features

• Multiple input modes - scan live sites, JSON manifests, or specify components directly
• Parallel API requests - fast vulnerability lookups using concurrent requests
• Version-aware filtering - only reports vulnerabilities affecting installed versions
• CVSS scoring - severity levels (Critical/High/Medium/Low) from CVSS scores
• Multiple output formats - human-readable tables or JSON for automation
• Exit codes - integrate with CI/CD pipelines
• Security hardened - URL encoding, file size limits, safe HTTP defaults

Installation

Pre-built binaries

Download from GitHub Releases:

Cargo

cargo install wordpress-vulnerable-scanner

Build from source

git clone https://github.com/robdotec/wordpress-vulnerable-scanner
cd wordpress-vulnerable-scanner
cargo build --release

Quick Start

Scan a live WordPress site

wordpress-vulnerable-scanner https://example.com

Scan with auto-detected scheme

wordpress-vulnerable-scanner example.com

Check specific components

# Check WordPress core version
wordpress-vulnerable-scanner -c 6.4.1

# Check plugins (slug:version format)
wordpress-vulnerable-scanner -p "elementor:3.18.0,contact-form-7:5.8"

# Check themes
wordpress-vulnerable-scanner -t "flavor:1.3.4,flavor-developer:1.3.4"

# Combined check
wordpress-vulnerable-scanner -c 6.4.1 -p "elementor:3.18.0" -t "flavor:1.3.4"

Use JSON manifest from wordpress-audit

# First, audit a WordPress installation
wordpress-audit https://example.com -o json > manifest.json

# Then scan for vulnerabilities
wordpress-vulnerable-scanner -m manifest.json

Filter by severity

# Only show high and critical vulnerabilities
wordpress-vulnerable-scanner example.com --severity high

JSON output for automation

wordpress-vulnerable-scanner example.com -o json | jq '.summary'

Input Modes

Output Formats

Exit Codes

Severity Levels

Based on CVSS v3 scores:

Security

Input Validation

• URL encoding - Component slugs are URL-encoded to prevent injection
• File size limits - Manifest files limited to 10 MB to prevent memory exhaustion
• Safe HTTP defaults - TLS verification enabled, reasonable timeouts

Data Source

Vulnerability data is fetched from WPVulnerability.net, a free CVE database for WordPress.

API Reference

The scanner can also be used as a library:

use wordpress_vulnerable_scanner::{Analyzer, Scanner, Severity};
use wordpress_vulnerable_scanner::output::{OutputConfig, OutputFormat, output_analysis};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Scan a site
    let scanner = Scanner::new("https://example.com")?;
    let scan_result = scanner.scan().await?;

    // Analyze for vulnerabilities
    let analyzer = Analyzer::new()?;
    let analysis = analyzer.analyze(&scan_result).await;

    // Output results
    let config = OutputConfig::new(OutputFormat::Human, Severity::Low);
    let mut stdout = std::io::stdout();
    output_analysis(&analysis, &config, &mut stdout)?;

    Ok(())
}

License

MIT License - see LICENSE for details.